Responding to a privacy breach

WHAT IS A PRIVACY BREACH?

A privacy breach occurs when Ontario’s Personal Health Information Protection Act (PHIPA) has been contravened, for example, where personal health information is stolen or lost, or is used or disclosed without authority.

PHIPA requires that, as a health information custodian (custodian), you must take reasonable steps to ensure that personal health information in your custody or control is protected against theft, loss and unauthorized use and disclosure, and that the records containing the information are protected against unauthorized copying, modification or disposal. You must also take reasonable steps to ensure that personal health information is not collected without authority, and that records of personal health information are retained, transferred and disposed of in a secure manner.

As a custodian, you may become aware of a privacy breach in a number of ways, including:

  • During the normal course of business.
  • An individual makes a complaint to you.
  • Notification from the IPC when a formal complaint has been filed with our office.
  • The IPC initiates its own investigation.
